T-Mobile confirms data breach, says 47.8 million people affected.
The T-Mobile data breach from earlier this week definitely happened, and it was indeed very bad.
According to the company, approximately 7.8 million current T-Mobile postpaid customer records were stolen, as well as "just over 40 million" records of "former or prospective customers who had previously applied for credit with T-Mobile."
While that may not be as bad as the 100 million stolen records initially reported by Vice, it's still a massive data breach and an embarrassment for T-Mobile, which apparently shut down the leak on its servers only after finding out about it on an online forum.
According to the company, some of the data stolen includes customers' first and last names, dates of birth, Social Security numbers, and driver's license or ID information. For postpaid accounts and former and prospective customers, no phone numbers, account numbers, PINs, passwords, or financial information was compromised.
For 850,000 active T-Mobile prepaid customers, it gets worse. T-Mobile says their phone numbers and account PINs were also exposed. T-Mobile says it has already reset all the PINs on the accounts, and it will be notifying them "right away." It's worth noting that no Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.
T-Mobile says it's taking immediate steps to help protect the customers affected. These include offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service, recommending all T-Mobile postpaid customers change their PIN, offering postpaid customers extra protection with its Account Takeover Protection feature, and publishing a web page on Wednesday with information related to the data breach.
There's no two ways about it: This is very, very bad. It's definitely positive that no financial information or passwords were compromised, but the data breach leaves T-Mobile customers open to identity theft and phishing attempts.
This is far from the first data breach T-Mobile has suffered — though it's definitely among the worst. The company suffered breaches, albeit on a smaller scale, in 2018, 2019, 2020, and earlier in 2021.
Oh, boy. Yet another year or two of completely, utterly useless credit monitoring that does nothing to compensate me for the hours and hours of effort I will have to put in yet again due to a corporate data breach.
Credit monitoring is now the de facto response. Costs them next to nothing and costs customers months or years of headache.
When are these companies going to be held responsible?
Until it happens, this thing is going to keep happening. Responsibility is one thing; legal accountability is another. No one is legally accountable, so here we go. "We're really sorry, and it's all evil hackers."
There is no reason for any company to store your SSN beyond needing it for initial credit worthiness or possibly ID verification. Once that purpose is served, the number should be deleted immediately. If it's ever needed again, the process can be repeated.
Basically: I would much rather have to give it to you twice than trust you can store it safely for countless years.
This is frustrating. How does this keep happening with T-Mobile? And why are they storing SSNs and other sensitive data unencrypted, or allowing access to so much data through a channel which decrypts the data? And PINs shouldn't have to be stored in a manner in which they can be decrypted, ever.
It sounds like they've got some developers that aren't trained in how to handle data securely.
If you can extract bulk data with private user information like this, the problem is more in how they store it, not necessarily with the fact that it is stored. When designing your storage solution, it's important that each privacy field use not only encryption, but also a unique decoding key, not 1 key for the entire record. It would appear that not only were those precautions not taken, but the data was likely stored unencrypted or the database file itself only had encryption. Whoever their IT security architect is should be fired immediately.
Sadly, that's pretty common from what I can tell. I'm going to school for cyber security and it wasn't until recently that data security was a huge focus.
And a lot of companies just live off of an "it won't happen to us" approach.
It sounds like the bosses wanted as cheap a system as possible - security takes time and money to implement properly.
My 40+ years in software development tell me that that is probably a factor, but apathy and ignorance among developers is probably a bigger factor. Of the developers I've worked with over the years, few know how to handle encryption, and even fewer actually care or understand the need. I might be the only one among the bunch that cares and knows how to do it right. I'm currently contracting on a software package for the bio-pharma industry with a team of senior-level developers with many decades of experience each, and encryption is still a mystery to them, seen as somewhat unnecessary and too complicated to even attempt.
It seems that very few developers understand the concepts at even a basic level. And the difficulty of using encryption libraries makes it seem not worth learning. Suitable libraries which are easy enough to use with good example code are essentially non-existent. I make a point of providing easy-to-use classes and functions for other developers for projects I'm working on, but I haven't seen this happening anywhere else. And most online discussions about encryption are inaccurate and/or otherwise fundamentally flawed. Proper encryption shouldn't have to be hard, but unfortunately most existing libraries make it really hard to do it right. It's almost like those who do understand it don't know (or take the time) to make it accessible, and usually do little to help with the more difficult tasks like storing, managing, and distributing keys.
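The two design points raised in this thread, a unique key per privacy field rather than one key per record, and PINs stored so they can be verified but never decrypted, are small enough to show in working code. The following Go program is an added example written for this page, not code from T-Mobile or from any commenter. It assumes nothing about T-Mobile's systems: the master key and PIN pepper are constructed demo values (in a real deployment the master key would live in a KMS or HSM and the pepper outside the database), the record id `cust-0001` and the SSN value are constructed, and the choice of AES-256-GCM for envelope encryption and HMAC-SHA256 for the PIN tag is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed demo keys; in production the master key lives in a KMS/HSM and the pepper off the database.
var (
	masterKey = []byte("demo-master-key-32-bytes-long!!!") // 32 bytes: AES-256 key-encryption key
	pinPepper = []byte("demo-pin-pepper-kept-off-the-db!")
)

// EncryptedField holds one privacy field (SSN, DOB, licence number) under its own random data
// key, itself wrapped under the master key: one key per field, not one key per record.
type EncryptedField struct{ WrappedKey, Ciphertext []byte } // each is nonce || AES-GCM output

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing safe to do
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes, so an error is a bug
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize()) // fresh nonce per encryption, prepended to the output
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen splits off the nonce and verifies tag and AAD before releasing any plaintext.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("sealed value too short (%d bytes)", len(sealed))
}

// fieldAAD ties a ciphertext to its row and column: a value moved to another customer or field fails to open.
func fieldAAD(recordID, fieldName string) []byte { return []byte(recordID + "/" + fieldName) }

// EncryptField draws a fresh 256-bit key for this one value and wraps it under masterKey.
func EncryptField(recordID, fieldName string, value []byte) EncryptedField {
	fieldKey, aad := randBytes(32), fieldAAD(recordID, fieldName)
	return EncryptedField{
		WrappedKey: gcmSeal(masterKey, fieldKey, aad),
		Ciphertext: gcmSeal(fieldKey, value, aad),
	}
}

// DecryptField unwraps the field key with the master key, then opens the value.
func DecryptField(recordID, fieldName string, f EncryptedField) ([]byte, error) {
	aad := fieldAAD(recordID, fieldName)
	fieldKey, err := gcmOpen(masterKey, f.WrappedKey, aad)
	if err != nil {
		return nil, err
	}
	return gcmOpen(fieldKey, f.Ciphertext, aad)
}

// PinRecord keeps a PIN as a salted, peppered HMAC: verifiable, never decryptable. A 4-6 digit
// PIN is too small for an unkeyed hash; the off-database pepper plus attempt limits protect it.
type PinRecord struct{ Salt, Tag []byte }

func pinTag(salt []byte, pin string) []byte {
	mac := hmac.New(sha256.New, pinPepper)
	mac.Write(salt)
	mac.Write([]byte(pin))
	return mac.Sum(nil)
}

func StorePIN(pin string) PinRecord {
	salt := randBytes(16)
	return PinRecord{Salt: salt, Tag: pinTag(salt, pin)}
}

func VerifyPIN(rec PinRecord, pin string) bool {
	return subtle.ConstantTimeCompare(rec.Tag, pinTag(rec.Salt, pin)) == 1
}

func main() {
	f := EncryptField("cust-0001", "ssn", []byte("000-00-0000")) // constructed sample value
	v, err := DecryptField("cust-0001", "ssn", f)
	fmt.Println(string(v), err, VerifyPIN(StorePIN("1234"), "1234"))
}
```

The split into `WrappedKey` and `Ciphertext` is what makes a bulk dump of the table far less useful: every row and column carries a different data key, and none of them opens without the master key held outside the database. Binding the record id and field name into the AEAD's associated data also stops a stolen ciphertext from being replayed into a different row. A PIN is never encrypted at all; the server can only check a candidate against the stored tag, which is why per-account attempt limits still matter even with the pepper.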
I can't wait to join the class action suit against T-Mobile for exposing my SSN, birth date, and other private info. Two years of identity protection doesn't begin to cover for what they did.
Problem is the class action suit will get you another 2 years of protection and the lawyers a big fat chunk of cash. :(
Great, as long as the executives responsible for the huge failure pay the price for their ineptitude and sloppiness, I don't care.
Oh yeah, sorry, forgot that Congress decided 20 years ago that executives have zero obligations to protect the sensitive customer data they control. Expect executives to threaten customers with higher prices if fines are applied.
You're talking about 2 different things; a class action lawsuit does nothing to the CEO or anyone else. The only good it does is to enrich the lawyers. I don't feel the need to go after the CEO... but the company needs to be hit with massive fines that are then distributed to all those impacted living in the US.
It's a good idea to lock or freeze your credit with the three agencies.
Identity theft is rampant and the existing protections are extremely weak. When I froze my credit with Experian, one of their security questions to confirm my identity was "how old will you be in 5 years' time?". Lame! The other questions were not much better.
It's like they don't even try. Almost all of the security questions are things an experienced hacker would've already learned.
This is the problem with separate accounts for each service we use.
As soon as we sort out a unique Digital ID that is stored only on secure devices we can avoid the hacks.
Companies should not be allowed to store personal ID and personal data.
It is an ancient concept that was exploited and abused in so many ways.
Let's build a better system that won't allow this to happen again.
Same old story:
Step 1 - Acknowledge theft - minimal system was compromised
Step 2 - 2 days-1 week post step - substantial data lost - but not SSN
Step 3 - 1 week later - only a part (prepaid/postpaid/partner carrier) - but SSN was stolen
Step 4 - After exhaustive review - 50% user data compromised - not credit card data
Step 5 - All users - All information compromised
By the time it is step 6 the news cycle moves on to the next thing and people forget how bad the breach is.
All companies wash and rinse the same script.
Why did it take so long to even confirm the data breach?
Really very bad 😡😡😡
That's why providing a high level of cybersecurity is very important even for giants... We need to pay more attention to this service!
https://tenor.com/view/oh-shit-i-forgot-%E5%8D%A7%E6%A7%BD-that-face-gif-9676901
...just f.. great. First the Chinese PLA stole their 5G research for Huawei, now the hackers stole their data... what kind of people run the company here?
To all you Canadian snowbirds who at one time purchased T-Mobile data packages or pre-paid cell phone services: you may wish to take particular note of this data breach.
Data leak, security breach... No big deal.
Malaysian companies:
https://giphy.com/gifs/laughing-scrubs-gif-3i7zenReaUuI0
Ah yes, the annual data breach :(
Well, this is not great at all.
https://tenor.com/view/my-god-barbie-doll-shocked-omg-gif-16958287